Malware attacks are growing despite advances in recent hardware and software mitigation techniques. Attackers have developed techniques to avoid detection by anti-virus (AV) vendors. Some exploitation techniques in use today are known as Return Oriented Programming (ROP), Call Oriented Programming (COP), and Jump Oriented Programming (JOP). ROP, COP, and JOP are code reuse attacks that allow attackers to construct malicious code from small fragments (gadgets) of the exploited application, thus eliminating the need for code injection.
These exploits bypass mitigation techniques such as Data Execution Prevention (DEP) or Address Space Layout Randomization (ASLR) because code reuse techniques provide attackers enough flexibility to customize the exploits and avoid security controls—a real advantage in the cyber “cat and mouse” game.
Modern computer processing elements have a Performance Monitoring Unit (PMU) for monitoring behavioral data about selected events. The diagram in FIG. 7 illustrates the core PMU and related registers 700 on Intel x86 processors. Processors from different manufacturers may have similar PMUs, although architectural details may differ. The PMU 710 has a plurality of fixed purpose counters 720. Each fixed purpose counter 720 can count only one architectural performance event, which simplifies configuration. In addition to the fixed purpose counters 720, the core PMU also supports a plurality of general purpose counters 730 that are capable of counting any activity occurring in the core. Each core PMU 710 also has a set of control registers 740, 760 to assist with programming the fixed purpose counters 720 and general purpose counters 730. The PMU 710 also has Event Select registers 750 corresponding to each fixed purpose counter 720 and general purpose counter 730, which allow specification of the exact event that should be counted. A global control register 760 allows enabling or disabling the counters 720, 730. A global status register 770 allows software to query counter overflow conditions on combinations of fixed purpose counters 720 and general purpose counters 730. A global overflow control register 780 allows software to clear counter overflow conditions on any combination of fixed purpose counters 720 and general purpose counters 730. The elements illustrated in FIG. 7 are illustrative and by way of example only, and other elements and arrangements of elements may be provided as desired.
Modern processor architectures also provide a branch recording mechanism. Typically, the last branch recording mechanism tracks not only branch instructions (like JMP, Jcc, LOOP, and CALL instructions), but also other operations that cause a change in the instruction pointer, like external interrupts, traps, and faults. The branch recording mechanisms generally employ a set of processor model specific registers, referred to as a last branch record (LBR) stack, each entry of which stores the source address and the destination address of a recent branch; the LBR stack thus provides a record of recent branches. Some embodiments of an LBR stack may also record an indication of whether the branch was mispredicted, i.e., whether the target of the branch, the direction (taken, not taken), or both were mispredicted. In addition, control registers may allow the processor to filter which kinds of branches are to be captured in the LBR stack. FIG. 8 is a block diagram illustrating an LBR stack 800 with two sets of registers 810A and 810B. Each LBR stack entry 810 includes one register with a from address field 820 and a mispredicted indicator 830, and another register with a to address field 840. Although only two LBR stack entries 810 are illustrated in the LBR stack 800 of FIG. 8 for clarity, implementations typically have more LBR stack entries 810. Although illustrated with the mispredict indicator as part of the register containing the from address 820, embodiments may place the mispredict indicator in the register containing the to address 840, or in a third register (not shown in FIG. 8). Other fields may be included in the LBR stack 800 as desired.
One of the ways the Event Select registers 750 may be configured is to cause the PMU 710 to count branch mispredict events. Such events may be caused by ROP and JOP exploits, but they also arise for other reasons. Where branch capture filtering is available, the filter may be employed to limit the captured branches to those of interest in ROP or JOP exploits. For JOP exploits, the branches of interest are typically near indirect jumps. For ROP exploits, the branches of interest are typically CALLs or RETs. However, embodiments may filter other types of branches or do no branch capture filtering, if desired. For example, COPs use gadgets that end with indirect CALL instructions. In COP exploits, gadgets are chained together by pointing the memory-indirect locations to the next gadget in sequence. COP exploits may be detected using a similar approach to that used for detecting ROP and JOP exploits, with the branches of interest being CALLs.
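As an added illustration (not code from the patent), the following C sketch models an LBR snapshot with the from/to/mispredict fields described above, applies a branch-kind filter standing in for the hardware capture filter (RET and CALL for ROP/COP, indirect JMP for JOP), and flags a snapshot whose mispredict rate on the filtered branches exceeds a threshold. The enum, struct and function names, the minimum-sample guard and the threshold are this example's own assumptions, not architectural register layouts.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Branch kinds a capture filter might keep; the enum and field names are
 * this example's own, not an architectural register layout. */
typedef enum { BR_NEAR_CALL, BR_NEAR_RET, BR_NEAR_IND_JMP, BR_OTHER } br_kind_t;

/* One LBR stack entry: from/to addresses and the mispredict indicator from the
 * text. The kind field stands in for the hardware branch filter here. */
typedef struct {
    uint64_t  from;
    uint64_t  to;
    bool      mispredicted;
    br_kind_t kind;
} lbr_entry_t;

/* Filter mask: RET/CALL are of interest for ROP/COP, indirect JMP for JOP. */
enum { KEEP_RET = 1, KEEP_CALL = 2, KEEP_IND_JMP = 4 };

static bool kept(br_kind_t k, unsigned mask)
{
    return (k == BR_NEAR_RET && (mask & KEEP_RET)) ||
           (k == BR_NEAR_CALL && (mask & KEEP_CALL)) ||
           (k == BR_NEAR_IND_JMP && (mask & KEEP_IND_JMP));
}

/* Percentage of filtered branches in the snapshot that were mispredicted.
 * Returns -1 when fewer than min_samples filtered branches are present, so a
 * nearly empty stack is never treated as evidence of anything. */
int mispredict_percent(const lbr_entry_t *lbr, size_t n, unsigned mask,
                       size_t min_samples)
{
    size_t seen = 0, missed = 0;
    for (size_t i = 0; i < n; i++) {
        if (!kept(lbr[i].kind, mask)) continue;
        seen++;
        if (lbr[i].mispredicted) missed++;
    }
    if (seen < min_samples) return -1;
    return (int)(missed * 100 / seen);
}

/* Flag the snapshot when the mispredict rate on branches of interest exceeds
 * the configured threshold (tuned per workload; 50% is only a placeholder). */
bool lbr_snapshot_suspicious(const lbr_entry_t *lbr, size_t n, unsigned mask,
                             size_t min_samples, int threshold_pct)
{
    int pct = mispredict_percent(lbr, n, mask, min_samples);
    return pct >= 0 && pct > threshold_pct;
}
```

In a real deployment the snapshot would be read from the LBR model specific registers on a PMU counter overflow interrupt, which is where the overhead the text goes on to discuss comes from.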
However, current solutions suffer from a limitation: to ensure usability and detection efficacy, and to make bypasses hard or uneconomical, multiple PMU elements must be monitored and complex detection algorithms applied, which leads to performance overhead. Compromises have been made to achieve good performance by sacrificing expensive analysis and more frequent monitoring of the counters. Unfortunately, this opens the possibility of crafting code reuse attacks that escape detection.